Cisco Support Community
Community Member

How do I set up ASA for 2 ISPs. One managed router

I need to set up like the pic. I can't change the internet IP of the TW router because it is managed and I do not have access. We don't want to redo the IP scope for the network. So I need the ASA to bridge that connection and then fail over to the TWC cable if TW goes down. Currently there is only the TW connection and no ASA. This is a proposed solution.

Thanks for your help.

Community Member

I think it would be better to change the addresses behind your ASA's inside interface to another private subnet. Then you will be able to use the existing subnet for transport between the ASA and the TW router. All of the ASA's interfaces will be L3 and the ASA will work in routed mode.

Community Member

I agree with Alexey. Change the subnet behind your firewall to something else. Use your firewall as a DHCP (if that is what you are using the TW router for as well). Then you can set two static default routes out (one weighted) to the two different ISPs.

Community Member

As the previous replies state, use an internal or DMZ network for your inside network.

What you're trying to achieve can be easily done with IP SLA: track the default route to the TW router, and when that is no longer available the default route will automatically fail over to the cable modem. Route tracking is available on the Cisco ASA.

Hope this helps.

Community Member

I agree with Alexey and robpeay to change the subnet of your LAN which will be behind your ASA's inside interface.


As far as failover is concerned, I am going for the IP SLA tracking that Robert had suggested, if it's supported on ASA, because that allows your firewall to send a probe to the gateway; then, if failure is detected, the connection automatically shifts to the standby IP. Static routes with different administrative distances can also be used, but if the problem resides on the ISP side and the physical ports on the ISP router facing your firewall remain up, sometimes a setup like this doesn't work well.


